1
00:00:00,000 --> 00:00:13,920
This is Hacker Public Radio episode 4,047 for Tuesday 6 February 2024.

2
00:00:13,920 --> 00:00:19,360
Today's show is entitled, Change Your Passwords Once in a While.

3
00:00:19,360 --> 00:00:23,920
It is hosted by Delta Ray and is about 16 minutes long.

4
00:00:23,920 --> 00:00:26,520
It carries a clean flag.

5
00:00:26,520 --> 00:00:31,480
The summary is, Delta Ray provides compelling arguments for why you should change your

6
00:00:31,480 --> 00:00:42,320
passwords periodically.

7
00:00:42,320 --> 00:00:45,360
Hi, I'm Delta Ray and welcome to Hacker Public Radio.

8
00:00:45,360 --> 00:00:50,240
Have you ever accidentally typed your password into the username field and then

9
00:00:50,240 --> 00:00:56,160
pressed enter and hoped that nobody saw that or that it was logged someplace?

10
00:00:56,160 --> 00:01:02,520
I remember back in the 1990s, I was in a college class and a college professor did

11
00:01:02,520 --> 00:01:03,880
just that.

12
00:01:03,880 --> 00:01:11,280
They had their login screen on a Sun Solaris workstation projected over onto the screen

13
00:01:11,280 --> 00:01:16,640
for the whole class to see and then they proceeded to type their password into the

14
00:01:16,640 --> 00:01:19,080
username field and everybody could see it.

15
00:01:19,080 --> 00:01:23,240
I kind of looked around to see if anybody was writing this down or something.

16
00:01:23,240 --> 00:01:30,360
I didn't write it down because I thought that was a bad mistake, but you never know who

17
00:01:30,360 --> 00:01:37,560
knows your password now. Or maybe you've gone to some free unencrypted hotel Wi-Fi at a

18
00:01:37,560 --> 00:01:45,200
conference or a hotel or maybe at a public birch or something like that and then you used

19
00:01:45,200 --> 00:01:52,720
that to type in your password to get back to some unencrypted HTTP website that you run or something

20
00:01:52,720 --> 00:01:55,120
like that.

21
00:01:55,120 --> 00:01:57,480
Change your passwords every once in a while.

22
00:01:57,480 --> 00:02:05,280
I know that there's this NIST recommendation that in the past would tell companies that

23
00:02:05,280 --> 00:02:09,280
they had, you know, they should force their employees to make a password change every 90

24
00:02:09,280 --> 00:02:10,720
days or whatever.

25
00:02:10,720 --> 00:02:15,760
This isn't what I'm really talking about, and so if your first instinct when I tell you

26
00:02:15,760 --> 00:02:19,920
to change your password is to say, oh, that doesn't actually work,

27
00:02:19,920 --> 00:02:23,680
well, I'm not talking about a forced password change policy.

28
00:02:23,680 --> 00:02:29,800
I'm talking about you personally, in order to reduce the risk of your accounts being compromised.

29
00:02:29,800 --> 00:02:35,640
You should consider changing your passwords, you know, maybe every couple of years or once

30
00:02:35,640 --> 00:02:37,600
a year or something.

31
00:02:37,600 --> 00:02:43,920
If you find yourself saying, I like my password, I, you know, I'm attached to it,

32
00:02:43,920 --> 00:02:49,600
that's probably when it's time to change it, because that kind of attitude leads to

33
00:02:49,600 --> 00:02:53,560
holding on to that password for much longer than you need to.

34
00:02:53,560 --> 00:03:01,120
And as time goes by, your risk of your password being known through some means only increases.

35
00:03:01,120 --> 00:03:08,200
You know, have you been using the same password for five years, 10 years, 15, 20 years?

36
00:03:08,200 --> 00:03:14,480
Who knows, maybe 20 years ago you picked a really strong password that's been able to

37
00:03:14,480 --> 00:03:16,680
meet the requirements.

38
00:03:16,680 --> 00:03:17,680
And that's great.

39
00:03:17,680 --> 00:03:21,800
You know, you're able to meet the requirements of what is a strong password and it's

40
00:03:21,800 --> 00:03:30,320
held up over 20 years, but there's a good chance that, you know, you've exposed

41
00:03:30,320 --> 00:03:36,640
that password somehow over the past 20 years, whether it be system administrators logging

42
00:03:36,640 --> 00:03:41,320
clear text passwords for the purpose of debugging and your password ending up in a log

43
00:03:41,320 --> 00:03:47,560
file somewhere, or shoulder surfing, or typing in, well, there's surveillance cameras watching

44
00:03:47,560 --> 00:03:52,600
you and, you know, somebody behind the surveillance camera can see what you're typing.

45
00:03:52,600 --> 00:03:57,920
Maybe you got infected with malware and a keystroke logger recorded your password.

46
00:03:57,920 --> 00:04:02,720
One of the more extreme pieces of research that was done was that some cybersecurity

47
00:04:02,720 --> 00:04:08,280
researchers were able to do audio analysis of some of the typing and produce a list

48
00:04:08,280 --> 00:04:15,040
of likely candidates for what you typed in based on the distance between keystrokes that

49
00:04:15,040 --> 00:04:18,440
were pressed and so on.

50
00:04:18,440 --> 00:04:22,200
Maybe you've said your password in your sleep, you know, especially if it's like a

51
00:04:22,200 --> 00:04:27,080
passphrase, you might have actually said it out loud and you just don't know it, or

52
00:04:27,080 --> 00:04:32,480
being able to guess it, you know, somebody might be profiling you, somebody might see what

53
00:04:32,560 --> 00:04:38,960
your personal interests are and maybe, you know, you like some sports team or some, you

54
00:04:38,960 --> 00:04:43,280
know, soft drink or something like that, and you work that into your password, or your

55
00:04:43,280 --> 00:04:48,800
kids' ages or, you know, all kinds of things that people use in their passwords. There's

56
00:04:48,800 --> 00:04:53,640
a great Jimmy Kimmel episode where he interviews, where they interviewed people on the

57
00:04:53,640 --> 00:04:58,360
street and they're able to basically get their password out of them just by asking them

58
00:04:58,360 --> 00:05:01,600
some personal questions.

59
00:05:01,600 --> 00:05:09,240
But over time, you know, the likelihood that you've exposed it just goes up.

60
00:05:09,240 --> 00:05:14,880
In my own experience, I've been a system administrator since the 90s, working at an internet

61
00:05:14,880 --> 00:05:21,840
provider and running a web hosting company and, you know, working as a system in other

62
00:05:21,840 --> 00:05:24,720
locations, large enterprises and stuff like that.

63
00:05:24,720 --> 00:05:29,760
I've had people tell me their passwords just outright because they're trying to be helpful

64
00:05:29,760 --> 00:05:32,920
in solving their problem.

65
00:05:32,920 --> 00:05:37,440
I've seen passwords, you know, people accidentally typing them into username fields

66
00:05:37,440 --> 00:05:43,080
and stuff like that, or I've turned on clear text password logging for the purpose

67
00:05:43,080 --> 00:05:49,720
of debugging one account, you know, maybe just for a short time, but, you know, turning

68
00:05:49,720 --> 00:05:55,360
it off afterwards and then, you know, clearing the logs. But who's to say that somebody

69
00:05:55,360 --> 00:06:00,280
didn't just leave that on all the time? And you don't know, you don't know what

70
00:06:00,280 --> 00:06:05,920
the system administrators are doing where you're using services. And one of the biggest

71
00:06:05,920 --> 00:06:12,760
problems that people have is that they reuse their passwords in multiple places, and this

72
00:06:12,760 --> 00:06:18,920
is like, you know, one of the number one reasons why accounts are compromised, because you

73
00:06:18,920 --> 00:06:25,280
may be logging in to some tech forum someplace and you use the same password that you do

74
00:06:25,280 --> 00:06:32,760
for your email or your bank account or your workstation at home or laptop, and that forum

75
00:06:32,760 --> 00:06:37,800
got compromised because they weren't that careful with the security at that forum. Maybe

76
00:06:37,800 --> 00:06:43,200
it was just some small, you know, forum that was run by somebody who didn't have a lot of

77
00:06:43,200 --> 00:06:50,800
time to secure it, and then now the, you know, the malicious actors have a log of your

78
00:06:50,800 --> 00:06:56,880
password and maybe, you know, the forum even had a tie back to your email account where

79
00:06:56,880 --> 00:07:02,840
you get your email normally and stuff. And so over time, they might sit on those things

80
00:07:02,840 --> 00:07:09,080
for a long time and then just waltz through all the security controls for online password

81
00:07:09,080 --> 00:07:15,000
protection, just bypassing them and getting into your account and, you know, ten years

82
00:07:15,000 --> 00:07:18,920
later, you're like, how did they just get into my account? Well, it's because they've been

83
00:07:18,920 --> 00:07:24,880
keeping track of all this stuff for years. There's a great website called Have I Been

84
00:07:24,880 --> 00:07:30,840
Pwned by Troy Hunt that, you know, you can go there and you can type in your email address

85
00:07:30,840 --> 00:07:36,680
and see if your account has been compromised someplace where your password might be known

86
00:07:36,680 --> 00:07:42,840
from various different data breaches that have happened over the years. And so yeah, don't

87
00:07:42,840 --> 00:07:48,840
get too attached to your passwords. The point, you know, when they say choose a strong

88
00:07:48,840 --> 00:07:54,000
password and they usually give you like all these requirements, you know, upper and lower case

89
00:07:54,000 --> 00:08:00,680
letters, length matters and so on, you know, you make a longer password. It's less likely

90
00:08:00,680 --> 00:08:06,160
to be guessed because they have to go through more combinations to figure it out.

91
00:08:06,160 --> 00:08:14,800
And doing that kind of brute force guessing is all about getting a copy of the database

92
00:08:14,800 --> 00:08:20,720
and doing that attack offline instead of doing an online attack. You know, it's like

93
00:08:20,720 --> 00:08:25,000
when you hear about people's passwords being compromised, there's a few different ways

94
00:08:25,000 --> 00:08:29,960
that they might do it. If they have to try to do an online attack, of course, they're

95
00:08:29,960 --> 00:08:34,160
going to, you know, like where they have to try to log into the service. Of course, there's

96
00:08:34,160 --> 00:08:38,880
hopefully going to be controls in place that will make it so that they can only try

97
00:08:38,880 --> 00:08:43,920
so many tries before they get blocked in the firewall or something like that. But an offline

98
00:08:43,920 --> 00:08:48,960
attack is where they use some other vulnerability of the system to grab a copy of the database

99
00:08:48,960 --> 00:08:54,640
and then run a brute force password guesser like John the Ripper or hashcat or something

100
00:08:54,640 --> 00:09:02,080
like that against the database, trying maybe millions or even billions of combinations per second

101
00:09:02,160 --> 00:09:08,400
to try to crack your password. And that's more than you can hope to protect against. So you

102
00:09:08,400 --> 00:09:15,360
have to choose one that's very strong and long. You know, I say at least 12 characters or more,

103
00:09:15,360 --> 00:09:24,560
but probably even 16 characters or more at this point. And the whole point of those requirements

104
00:09:25,360 --> 00:09:31,200
is really, and this is what they don't really tell you, the whole point of strong passwords

105
00:09:32,160 --> 00:09:38,160
is to make it so that the password is unguessable. That's, that's it. You know, it's like not

106
00:09:38,160 --> 00:09:43,120
guessable by humans, either by, you know, them guessing what your password might be based on your

107
00:09:43,120 --> 00:09:51,680
interests, or guessable by computers just doing, you know, combinations, or maybe guessable by AI

108
00:09:51,680 --> 00:09:57,840
trying to profile you and doing combinations as a combination of tactics. But it's really about

109
00:09:57,920 --> 00:10:03,520
making it so it's not guessable. And the reason why I say this is because you might say, well, I chose

110
00:10:03,520 --> 00:10:09,200
this passphrase that's really long, but it turns out it's a quote from a movie, you know, or something

111
00:10:09,200 --> 00:10:17,760
like that. And so it may be a 16 or 24 character passphrase, but it really is important that

112
00:10:17,760 --> 00:10:24,880
it's not guessable. And so you, you know, maybe your best bet is to use what's called a diceware

113
00:10:24,960 --> 00:10:30,720
passphrase, where you choose four different words from the dictionary by rolling dice and like

114
00:10:30,720 --> 00:10:36,400
choosing the page of the dictionary or something like that. You can also use the look command

115
00:10:37,360 --> 00:10:43,760
where, you know, you can use look in combination with grep and xargs to generate a diceware

116
00:10:43,760 --> 00:10:50,400
passphrase. Yeah, I mean, come up with a diceware passphrase. That way, you're not tying it to your

117
00:10:50,480 --> 00:10:57,120
personal interests. That way, it's not based on, for instance, things that are in front of you. Like,

118
00:10:57,120 --> 00:11:03,840
you know, that you're reading off of or whatever that could later be determined and so on.

119
00:11:04,400 --> 00:11:10,560
And use a password manager. This one is kind of a touchy subject for some people. A password

120
00:11:10,560 --> 00:11:16,640
manager, even though some of them, you know, have had security problems over the years, is

121
00:11:17,600 --> 00:11:25,040
generally a better option than just reusing the same password everywhere or using a weaker password

122
00:11:25,920 --> 00:11:37,520
everywhere. So find a trusted, vetted password manager. You know, there's like 1Password and

123
00:11:38,480 --> 00:11:47,200
Bitwarden, and in the past, you know, LastPass was considered really good, but they've done some stuff

124
00:11:47,200 --> 00:11:53,040
that over the years has become more questionable. Initially, you know, it wasn't such a big deal

125
00:11:53,040 --> 00:12:00,800
for the URL to be known and be unencrypted. But of course, they started back in the 2000s,

126
00:12:01,600 --> 00:12:07,840
before a time that authentication tokens were showing up in URLs and stuff like that. And so

127
00:12:07,840 --> 00:12:14,080
that practice that they had has over time become more questionable. But for a long time,

128
00:12:14,080 --> 00:12:20,800
LastPass was doing things the right way and was considered a safe option. But now, you know,

129
00:12:20,800 --> 00:12:28,320
things have kind of changed. And I would caution you about just running away whenever there's a

130
00:12:28,320 --> 00:12:33,840
security problem in a password manager. There's going to be security problems in password managers,

131
00:12:33,840 --> 00:12:40,480
but it's all about whether they're doing the right thing and managing the way the binary blob

132
00:12:40,480 --> 00:12:47,760
of your passwords was being handled. Are they responding to it well? Is the security vulnerability

133
00:12:47,760 --> 00:12:55,120
that came up, is it really affecting your password being seen in clear text or not? If you,

134
00:12:55,200 --> 00:13:00,000
if we get into this habit of running away from a password manager just because it had a security

135
00:13:00,000 --> 00:13:07,200
problem, we're going to run out of good options for security managers, for password managers,

136
00:13:07,200 --> 00:13:14,720
because only so many people know how to make them properly. Some companies, you know, they put the

137
00:13:14,720 --> 00:13:20,720
password on their end and they have a key to it and stuff like that. That's no good. You don't want

138
00:13:20,800 --> 00:13:25,440
them to have a key to it. And there's plenty of other articles and podcasts that talk about this

139
00:13:25,440 --> 00:13:33,520
thing. But what I'm here to say about it is we can't just blindly run away every time there's a

140
00:13:33,520 --> 00:13:40,800
security problem with a password manager, because unlike a lot of other software, it's hard,

141
00:13:40,800 --> 00:13:44,800
you know, it's hard to make a good one. And there's only so many people who are going to make good ones.

142
00:13:44,800 --> 00:13:49,920
And if we keep on running away from ones that are good just because they have a security problem,

143
00:13:49,920 --> 00:13:55,120
we're going to run out of good options, because we're going to end up boycotting all the good ones

144
00:13:55,120 --> 00:14:02,720
or something. So don't just quickly run away without really thinking about, is this really a problem,

145
00:14:02,720 --> 00:14:10,160
or is it just a vulnerability that doesn't actually expose my credentials? It's just like they

146
00:14:10,160 --> 00:14:16,000
had a hack, but it didn't really expose my credentials. And just to be safe, you know, you might

147
00:14:16,320 --> 00:14:24,160
transfer, you know, change your master password on your, on your password manager or something.

148
00:14:24,160 --> 00:14:30,080
And the other thing I recommend is don't click on the checkbox that says save your master password.

149
00:14:30,080 --> 00:14:35,280
That's the one that you need to remember. Don't click on the checkbox that says save your master

150
00:14:35,280 --> 00:14:40,800
password. You have to memorize that, because when you do check the box that says save your master

151
00:14:40,800 --> 00:14:48,320
password, now you're putting your password database at risk by making it so that if somebody

152
00:14:48,320 --> 00:14:55,120
gets access to your browser cache or your browser configuration, they might be able to just turn on

153
00:14:55,520 --> 00:15:01,920
the password, you know, load up your browser and access your password manager database.

154
00:15:02,720 --> 00:15:09,360
I've tested this before, like with LastPass, and it actually worked. So don't do that. I wish

155
00:15:09,360 --> 00:15:13,680
they wouldn't even put that there. And unfortunately, they probably get complaints from,

156
00:15:14,400 --> 00:15:18,800
you know, users that say, why do you have to, you know, why do I have to memorize this master

157
00:15:18,800 --> 00:15:23,440
password? I thought you were supposed to make this easier and stuff. And so then they change it.

158
00:15:24,000 --> 00:15:30,880
And then they put this bad option in there. Also use two factor, you know, try to use two

159
00:15:30,880 --> 00:15:37,760
factor authentication where you can. I know it's, it can be a pain sometimes, but it really is

160
00:15:37,760 --> 00:15:44,960
protecting you from the pop, you know, it's reducing your risk of having your first factor

161
00:15:44,960 --> 00:15:50,560
password compromised, taking over your account. That doesn't mean that two factor is a silver bullet.

162
00:15:50,960 --> 00:15:57,840
There are, you know, ways that attackers are able to get around two factor by social engineering

163
00:15:57,840 --> 00:16:02,640
attacks and so on. So you still have to be careful, but it's definitely a lot better

164
00:16:03,600 --> 00:16:11,680
than not having it. And um, yeah, okay. So thanks, and I'm curious to hear your comments and feedback

165
00:16:11,680 --> 00:16:17,680
about this, and change your passwords once in a while. Okay. Bye.

166
00:16:21,680 --> 00:16:27,440
You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was

167
00:16:27,440 --> 00:16:33,440
contributed by an HPR listener like yourself. If you ever thought of recording a podcast,

168
00:16:33,440 --> 00:16:41,040
click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided

169
00:16:41,040 --> 00:16:49,200
by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is

170
00:16:49,200 --> 00:16:55,280
released under a Creative Commons Attribution 4.0 International license.